| // Copyright 2022 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/os_crypt/app_bound_encryption_win.h" |
| |
| #include <optional> |
| |
| #include "base/command_line.h" |
| #include "base/files/file_path.h" |
| #include "base/files/file_util.h" |
| #include "base/files/scoped_temp_dir.h" |
| #include "base/functional/bind.h" |
| #include "base/functional/callback_helpers.h" |
| #include "base/metrics/histogram_base.h" |
| #include "base/metrics/histogram_samples.h" |
| #include "base/metrics/statistics_recorder.h" |
| #include "base/path_service.h" |
| #include "base/process/launch.h" |
| #include "base/process/process_info.h" |
| #include "base/test/bind.h" |
| #include "base/test/metrics/histogram_tester.h" |
| #include "base/test/scoped_feature_list.h" |
| #include "base/threading/thread_restrictions.h" |
| #include "chrome/browser/browser_features.h" |
| #include "chrome/browser/browser_process.h" |
| #include "chrome/browser/os_crypt/test_support.h" |
| #include "chrome/browser/policy/chrome_browser_policy_connector.h" |
| #include "chrome/elevation_service/elevator.h" |
| #include "chrome/install_static/test/scoped_install_details.h" |
| #include "chrome/test/base/in_process_browser_test.h" |
| #include "components/policy/core/common/mock_configuration_policy_provider.h" |
| #include "components/policy/core/common/policy_map.h" |
| #include "components/policy/policy_constants.h" |
| #include "content/public/test/browser_test.h" |
| |
| namespace os_crypt { |
| |
| namespace { |
| |
| void WaitForHistogram(const std::string& histogram_name) { |
| // Continue if histogram was already recorded. |
| if (base::StatisticsRecorder::FindHistogram(histogram_name)) |
| return; |
| |
| // Else, wait until the histogram is recorded. |
| base::RunLoop run_loop; |
| auto histogram_observer = |
| std::make_unique<base::StatisticsRecorder::ScopedHistogramSampleObserver>( |
| histogram_name, |
| base::BindLambdaForTesting( |
| [&](const char* histogram_name, uint64_t name_hash, |
| base::HistogramBase::Sample sample) { run_loop.Quit(); })); |
| run_loop.Run(); |
| } |
| |
| } // namespace |
| |
| class AppBoundEncryptionWinTest : public InProcessBrowserTest { |
| public: |
| AppBoundEncryptionWinTest() |
| : scoped_install_details_(std::make_unique<FakeInstallDetails>()) {} |
| |
| protected: |
| void SetUp() override { |
| if (base::GetCurrentProcessIntegrityLevel() != base::HIGH_INTEGRITY) |
| GTEST_SKIP() << "Elevation is required for this test."; |
| maybe_uninstall_service_ = InstallService(); |
| EXPECT_TRUE(maybe_uninstall_service_.has_value()); |
| InProcessBrowserTest::SetUp(); |
| } |
| |
| void TearDown() override { |
| InProcessBrowserTest::TearDown(); |
| } |
| |
| base::HistogramTester histogram_tester_; |
| |
| private: |
| install_static::ScopedInstallDetails scoped_install_details_; |
| std::optional<base::ScopedClosureRunner> maybe_uninstall_service_; |
| }; |
| |
| // Test App-Bound is supported for tests. |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, Supported) { |
| EXPECT_EQ(SupportLevel::kSupported, GetAppBoundEncryptionSupportLevel( |
| g_browser_process->local_state())); |
| } |
| |
| // Test the basic interface to Encrypt and Decrypt data. |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, EncryptDecrypt) { |
| ASSERT_TRUE(install_static::IsSystemInstall()); |
| const std::string plaintext("plaintext"); |
| std::string ciphertext; |
| DWORD last_error; |
| |
| HRESULT hr = |
| EncryptAppBoundString(ProtectionLevel::PROTECTION_PATH_VALIDATION, |
| plaintext, ciphertext, last_error); |
| |
| ASSERT_HRESULT_SUCCEEDED(hr); |
| |
| std::string returned_plaintext; |
| hr = DecryptAppBoundString(ciphertext, returned_plaintext, last_error); |
| |
| ASSERT_HRESULT_SUCCEEDED(hr); |
| EXPECT_EQ(plaintext, returned_plaintext); |
| } |
| |
| // Test that invalid data is handled correctly. |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, EncryptDecryptInvalid) { |
| ASSERT_TRUE(install_static::IsSystemInstall()); |
| std::string ciphertext("invalidciphertext"); |
| std::string returned_plaintext; |
| DWORD last_error = 0; |
| std::string log_message; |
| const HRESULT hr = DecryptAppBoundString(ciphertext, returned_plaintext, |
| last_error, &log_message); |
| EXPECT_EQ(elevation_service::Elevator::kErrorCouldNotDecryptWithSystemContext, |
| hr); |
| EXPECT_TRUE(log_message.empty()); |
| } |
| |
| // These tests verify that the metrics are recorded correctly. The first load of |
| // browser in the PRE_ test stores the "Test Key" with app-bound encryption and |
| // the second stage of the test verifies it can be retrieved successfully. |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, PRE_MetricsTest) { |
| if (!base::FeatureList::IsEnabled( |
| features::kRegisterAppBoundEncryptionProvider)) { |
| GTEST_SKIP() << "Metrics only reported if provider is registered."; |
| } |
| |
| histogram_tester_.ExpectUniqueSample( |
| "OSCrypt.AppBoundEncryption.SupportLevel", SupportLevel::kSupported, 1); |
| |
| // These histograms are recorded on a background worker thread, so the test |
| // needs to wait until this task completes and the histograms are recorded. |
| WaitForHistogram("OSCrypt.AppBoundProvider.Encrypt.ResultCode"); |
| histogram_tester_.ExpectBucketCount( |
| "OSCrypt.AppBoundProvider.Encrypt.ResultCode", S_OK, 1); |
| } |
| |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, MetricsTest) { |
| ASSERT_TRUE(install_static::IsSystemInstall()); |
| |
| if (!base::FeatureList::IsEnabled( |
| features::kRegisterAppBoundEncryptionProvider)) { |
| GTEST_SKIP() << "Metrics only reported if provider is registered."; |
| } |
| |
| // These histograms are recorded on a background worker thread, so the test |
| // needs to wait until this task completes and the histograms are recorded. |
| WaitForHistogram("OSCrypt.AppBoundProvider.Decrypt.ResultCode"); |
| histogram_tester_.ExpectBucketCount( |
| "OSCrypt.AppBoundProvider.Decrypt.ResultCode", S_OK, 1); |
| } |
| |
| // Run this test manually to force uninstall the service using |
| // --gtest_filter=AppBoundEncryptionWinTest.MANUAL_Uninstall --run-manual. |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTest, MANUAL_Uninstall) {} |
| |
| using AppBoundEncryptionWinTestNoService = InProcessBrowserTest; |
| |
| // TODO(https://crbug.com/328398409): Flakily fails |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTestNoService, DISABLED_NoService) { |
| const std::string plaintext("plaintext"); |
| std::string ciphertext; |
| DWORD last_error; |
| |
| HRESULT hr = |
| EncryptAppBoundString(ProtectionLevel::PROTECTION_PATH_VALIDATION, |
| plaintext, ciphertext, last_error); |
| |
| EXPECT_EQ(REGDB_E_CLASSNOTREG, hr); |
| EXPECT_EQ(DWORD{ERROR_GEN_FAILURE}, last_error); |
| } |
| |
| // This policy test is here and not in chrome/browser/policy/test as it requires |
| // a fake system install to correctly show as kSupported, and this testing class |
| // already has the scaffolding in place to achieve this. |
| class AppBoundEncryptionWinTestWithPolicy |
| : public AppBoundEncryptionWinTest, |
| public ::testing::WithParamInterface< |
| /*policy::key::kApplicationBoundEncryptionEnabled=*/std::optional< |
| bool>> { |
| private: |
| void SetUp() override { |
| policy_provider_.SetDefaultReturns( |
| /*is_initialization_complete_return=*/true, |
| /*is_first_policy_load_complete_return=*/true); |
| policy::PolicyMap values; |
| if (GetParam().has_value()) { |
| values.Set(policy::key::kApplicationBoundEncryptionEnabled, |
| policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE, |
| policy::POLICY_SOURCE_CLOUD, base::Value(*GetParam()), |
| nullptr); |
| } |
| policy_provider_.UpdateChromePolicy(values); |
| policy::BrowserPolicyConnector::SetPolicyProviderForTesting( |
| &policy_provider_); |
| AppBoundEncryptionWinTest::SetUp(); |
| } |
| |
| testing::NiceMock<policy::MockConfigurationPolicyProvider> policy_provider_; |
| }; |
| |
| IN_PROC_BROWSER_TEST_P(AppBoundEncryptionWinTestWithPolicy, |
| TestPolicySupported) { |
| const auto support_level = |
| GetAppBoundEncryptionSupportLevel(g_browser_process->local_state()); |
| if (!GetParam().has_value()) { |
| EXPECT_EQ(support_level, SupportLevel::kSupported); |
| return; |
| } |
| |
| EXPECT_EQ(support_level, *GetParam() ? SupportLevel::kSupported |
| : SupportLevel::kDisabledByPolicy); |
| } |
| |
| INSTANTIATE_TEST_SUITE_P( |
| Enabled, |
| AppBoundEncryptionWinTestWithPolicy, |
| ::testing::Values( |
| /*policy::key::kApplicationBoundEncryptionEnabled=*/true)); |
| |
| INSTANTIATE_TEST_SUITE_P( |
| Disabled, |
| AppBoundEncryptionWinTestWithPolicy, |
| ::testing::Values( |
| /*policy::key::kApplicationBoundEncryptionEnabled=*/false)); |
| |
| INSTANTIATE_TEST_SUITE_P( |
| NotSet, |
| AppBoundEncryptionWinTestWithPolicy, |
| ::testing::Values( |
| /*policy::key::kApplicationBoundEncryptionEnabled=*/std::nullopt)); |
| |
| // These tests do not function correctly in component builds because they rely |
| // on being able to run a standalone executable child process in various |
| // different directories, and a component build has too many dynamic DLL |
| // dependencies to conveniently move around the file system hermetically. |
| #if !defined(COMPONENT_BUILD) |
| class AppBoundEncryptionWinTestMultiProcess : public AppBoundEncryptionWinTest { |
| protected: |
| enum class Operation { |
| kEncrypt, |
| kDecrypt, |
| }; |
| |
| void SetUp() override { |
| ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); |
| AppBoundEncryptionWinTest::SetUp(); |
| } |
| |
| void EncryptOrDecryptInTestProcess( |
| base::FilePath::StringPieceType filename, |
| std::optional<base::FilePath::StringPieceType> sub_dir, |
| const std::string& input_data, |
| std::string& output_data, |
| Operation op, |
| HRESULT& result) { |
| base::ScopedAllowBlockingForTesting allow_blocking; |
| |
| const auto input_file_path = temp_dir_.GetPath().Append(L"input-file"); |
| const auto output_file_path = temp_dir_.GetPath().Append(L"output-file"); |
| ASSERT_TRUE(base::WriteFile(input_file_path, input_data)); |
| |
| // The binary must run from 'testdir' this is because otherwise the scoped |
| // temp dir ends with a `scoped_dir` path which conflicts with a production |
| // environment that path validation has to correctly cater for. |
| auto executable_file_dir = temp_dir_.GetPath().Append(L"testdir"); |
| if (sub_dir) { |
| executable_file_dir = executable_file_dir.Append(*sub_dir); |
| } |
| base::CreateDirectory(executable_file_dir); |
| |
| const auto executable_file_path = executable_file_dir.Append(filename); |
| std::ignore = base::DeleteFile(executable_file_path); |
| |
| const auto orig_exe = base::PathService::CheckedGet(base::DIR_EXE) |
| .Append(FILE_PATH_LITERAL("app_binary.exe")); |
| ASSERT_TRUE(base::CopyFile(orig_exe, executable_file_path)); |
| |
| base::CommandLine cmd(executable_file_path); |
| |
| cmd.AppendSwitchPath(switches::kAppBoundTestInputFilename, input_file_path); |
| cmd.AppendSwitchPath(switches::kAppBoundTestOutputFilename, |
| output_file_path); |
| switch (op) { |
| case Operation::kEncrypt: |
| cmd.AppendSwitch(switches::kAppBoundTestModeEncrypt); |
| break; |
| case Operation::kDecrypt: |
| cmd.AppendSwitch(switches::kAppBoundTestModeDecrypt); |
| break; |
| } |
| |
| base::LaunchOptions options; |
| options.start_hidden = true; |
| options.wait = true; |
| |
| auto process = base::LaunchProcess(cmd, options); |
| int exit_code; |
| EXPECT_TRUE(process.WaitForExit(&exit_code)); |
| result = static_cast<HRESULT>(exit_code); |
| if (SUCCEEDED(result)) { |
| EXPECT_TRUE(base::ReadFileToString(output_file_path, &output_data)); |
| } |
| // This ensures the process has really terminated before this function |
| // returns, as base::Process destructor does not do this by default. |
| process.Terminate(0, /*wait=*/true); |
| } |
| |
| private: |
| base::ScopedTempDir temp_dir_; |
| }; |
| |
| IN_PROC_BROWSER_TEST_F(AppBoundEncryptionWinTestMultiProcess, |
| EncryptDecryptProcess) { |
| const std::string kSecret("secret"); |
| { |
| std::string ciphertext; |
| HRESULT result; |
| ASSERT_NO_FATAL_FAILURE(EncryptOrDecryptInTestProcess( |
| L"app1.exe", {}, kSecret, ciphertext, Operation::kEncrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| std::string plaintext; |
| ASSERT_NO_FATAL_FAILURE(EncryptOrDecryptInTestProcess( |
| L"app1.exe", {}, ciphertext, plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| |
| ASSERT_NO_FATAL_FAILURE(EncryptOrDecryptInTestProcess( |
| L"app2.exe", {}, ciphertext, plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| |
| ASSERT_NO_FATAL_FAILURE( |
| EncryptOrDecryptInTestProcess(L"app1.exe", L"Application", ciphertext, |
| plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| |
| ASSERT_NO_FATAL_FAILURE( |
| EncryptOrDecryptInTestProcess(L"app1.exe", L"Temp", ciphertext, |
| plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| |
| ASSERT_NO_FATAL_FAILURE( |
| EncryptOrDecryptInTestProcess(L"app1.exe", L"Bad", ciphertext, |
| plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(elevation_service::Elevator::kValidationDidNotPass, result); |
| } |
| { |
| // Explicitly test the most frequent chrome-specific cases. |
| std::string ciphertext; |
| HRESULT result; |
| ASSERT_NO_FATAL_FAILURE( |
| EncryptOrDecryptInTestProcess(L"chrome.exe", L"Application", kSecret, |
| ciphertext, Operation::kEncrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| std::string plaintext; |
| ASSERT_NO_FATAL_FAILURE(EncryptOrDecryptInTestProcess( |
| L"new_chrome.exe", L"Application", ciphertext, plaintext, |
| Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| ASSERT_NO_FATAL_FAILURE( |
| EncryptOrDecryptInTestProcess(L"old_chrome.exe", L"Temp", ciphertext, |
| plaintext, Operation::kDecrypt, result)); |
| EXPECT_EQ(S_OK, result); |
| EXPECT_EQ(kSecret, plaintext); |
| } |
| } |
| #endif // !defined(COMPONENT_BUILD) |
| |
| } // namespace os_crypt |
